Methods, signals, devices, and systems are provided for controlling access to objects and their attributes in a database. The database may be hierarchical, or it may have positional relationships based on a graph structure. In a hierarchical database possible positional relationships include child, parent, grandchild, and so on. A trustee field in an access control property of a target object is furnished with the positional relationship. A positional relationship is evaluated when an access request is made, and the binding of trustee object identifiers with particular targets through access control properties is thereby delayed until such binding is necessary to determine if the access request should be granted. The delayed binding may be combined with inheritance, with conventional access control lists, and with other familiar tools and techniques to enhance access control in the database of objects.
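The delayed binding described in the abstract can be sketched as follows. This is an added illustration, not code from the patent; the `Obj` class, the `RELATIONS` table, the `(relationship, rights, inheritable)` entry layout and the sample tree are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Obj:
    name: str
    parent: "Obj | None" = None
    # Access control entries (assumed layout): (relationship, rights, inheritable)
    acl: list = field(default_factory=list)

# The trustee field holds a relationship name, never an object identifier.
RELATIONS = {
    "parent":     lambda target, req: target.parent is req,
    "child":      lambda target, req: req.parent is target,
    "grandchild": lambda target, req: req.parent is not None
                                      and req.parent.parent is target,
}

def effective_aces(target):
    """Entries set on the target plus inheritable entries from its ancestors."""
    yield from target.acl
    node = target.parent
    while node is not None:
        yield from (ace for ace in node.acl if ace[2])
        node = node.parent

def check_access(requester, target, right):
    """Bind the trustee relationship to concrete objects only at request time."""
    for relationship, rights, _inheritable in effective_aces(target):
        if right in rights and RELATIONS[relationship](target, requester):
            return True
    return False  # default deny: no entry matched both the right and the trustee

def build_sample_tree():
    """Constructed sample hierarchy: root -> (eng -> printer, alice), ops."""
    root = Obj("root")
    eng, ops = Obj("eng", root), Obj("ops", root)
    printer, alice = Obj("printer", eng), Obj("alice", eng)
    # Inheritable entry on root: every object may be read by its own parent.
    root.acl.append(("parent", {"read"}, True))
    # Non-inheritable entry on eng: children of eng may write to eng.
    eng.acl.append(("child", {"write"}, False))
    return root, eng, ops, printer, alice
```

Because the entry names a relationship rather than an object, moving `printer` from `eng` to `ops` changes who may read it without any access control property being edited.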
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for controlling access to objects in a database, the computer-implemented method comprising the steps of: choosing a positional relationship in reference to a target object in the database; and furnishing a trustee field with the positional relationship in an access control property associated with the target object.
2. The method of claim 1, further comprising the steps of evaluating a positional relationship between the target object and a requester object in the database to obtain a target-requester relationship; and determining whether that target-requester relationship compares favorably with the chosen positional relationship.
3. The method of claim 2, further comprising the step of granting the trustee object access to the target object.
4. The method of claim 2, further comprising the step of denying a request by a requesting object to access the target object when the target-requester relationship does not compare favorably with the chosen positional relationship.
5. The method of claim 1, further comprising the step of evaluating the trustee field to identify a trustee object which is in the chosen positional relationship with the target object.
6. The method of claim 1, wherein the access control property specifies an access right, further comprising the step of denying an access request by a requesting object to access the target object when the access requested is not allowed by the access right specified in the access control property.
7. The method of claim 1, wherein the database is a hierarchical tree-structured database and the access control property specifies an inheritable access constraint.
8. The method of claim 7, further comprising the steps of applying the inheritable access constraint through inheritance and then evaluating a positional relationship to determine whether a requester is a trustee.
9. The method of claim 8, further comprising the step of granting a trustee object access to the target object.
10. The method of claim 8, further comprising the step of denying a request by a requesting object to access the target object when the trustee field does not identify the requesting object.
11. The method of claim 8, wherein the access control property specifies an access right, further comprising the step of denying an access request by a requesting object to access the target object when the access requested is not allowed by the access right specified in the access control property.
12. The method of claim 1, wherein the database is a graph-structured database and the access control property specifies an inheritable access constraint to be propagated between vertices of the graph.
13. The method of claim 1, wherein the step of furnishing a trustee field includes obtaining a storage location for the trustee field and storing an initial positional relationship value in the trustee field.
14. The method of claim 1, wherein the step of furnishing a trustee field includes overwriting a positional relationship value previously stored in the trustee field.
15. The method of claim 1, wherein the chosen positional relationship is a hierarchical relationship comprising at least one relationship from the group of relationships containing child and parent relationships.
16. The method of claim 1, wherein the chosen positional relationship is a graph relationship comprising at least one relationship from the group of relationships containing adjacent and connected to relationships.
17. The method of claim 1, wherein the chosen positional relationship is a directed graph relationship comprising at least one relationship from the group of relationships containing adjacent and reachable from relationships.
18. A database access control system comprising: a computer system having a memory and a processor; a database stored in the memory and susceptible to processing with the processor, the database including a target object, the target object having an access control property furnished with a trustee field to hold at least one positional relationship; and an access controller which grants or denies requests for access to the target object.
19. The system of claim 18, wherein the access controller comprises a trustee field evaluator which evaluates the trustee field to identify a trustee object which is in a positional relationship with the target object.
20. The system of claim 18, wherein the access controller comprises a positional relationship tester which determines if a requesting object is in the positional relationship with the target object.
21. The system of claim 18, wherein the access controller comprises an access rights tester.
22. The system of claim 18, wherein the access controller comprises an inheritable access constraint evaluator and the system comprises an inheritance propagator for propagating inheritable access control properties.
23. The system of claim 18, wherein database comprises objects arranged in a tree structure.
24. The system of claim 18, wherein database comprises objects arranged in a graph structure.
25. The system of claim 24, wherein database comprises objects arranged in a directed graph structure.
26. The system of claim 18, wherein database comprises replicated partitions.
27. The system of claim 18, wherein database comprises a directory services database.
28. The system of claim 18, wherein the database comprises tables defining relations.
29. A data signal embodied in a computer readable medium, the signal comprising an access rights field of an access control property and a trustee field specifying a positional relationship relative to at least one target object in a database.
30. The data signal of claim 29, further comprising an inheritance indicator.
31. A computer storage medium having a configuration that represents data and instructions which will cause performance of method steps for controlling access to objects and their attributes in a database, the method comprising the steps of: choosing a positional relationship in reference a target object in the database; and furnishing a trustee field with the positional relationship in an access control property associated with the target object.
32. The configured storage medium of claim 31, wherein the method further comprises the step of determining whether a requesting object is in the chosen positional relationship with the target object.
33. The configured storage medium of claim 32, wherein the method further comprises the step of denying a request by the requesting object to access the target object when the requesting object is not in the chosen positional relationship with the target object.
34. The configured storage medium of claim 32, wherein the access control property specifies an access right and the method further comprises the step of denying a request by a requesting object to access the target object when the access sought by the requesting object is not allowed by the access right specified in the access control property.
35. The configured storage medium of claim 31, wherein the method further comprises the step of applying an inheritable access constraint through inheritance.
December 19, 1998
October 23, 2001